Even amongst security professionals there is sometimes a modicum of confusion about the difference between ‘Risk’ and ‘Threat’. This apparent misperception is of concern, for if security and intelligence professionals do not understand the difference between the two, they will not be able to establish the true Risk to their assets (physical or virtual).
David Strachan-Morris (previously Manager, Information and Intelligence Services, at Pilgrims Group Ltd) states in his 2010 article, ‘Threat and Risk: What’s the Difference’, that: “Simply put, ‘threat’ is a function of the enemy’s capability and intent to conduct attacks, whereas ‘risk’ is a function of the probability that your organisation will be involved in an attack (either as a deliberate target or just in the wrong place at the wrong time) and the harm that such an attack would cause. Even more simply, ‘threat’ = capability x intent, whereas ‘risk’ = probability x harm”.
Strachan-Morris was basing this definition on a military scenario which, although probably very relevant in that example, in my opinion does not always apply in the generic sense to any asset, whatever it is and wherever it is located. I agree that it is generally accepted that a simple definition of ‘Threat’ is based on ‘capability and intent’. However, I question his explanation of Risk as being just a combination of ‘probability and harm (impact)’. To establish a Risk factor for an asset, you must consider the different Threats posed to the asset in order to identify areas of possible weakness that may prove vulnerable to those Threats, take into account any mitigation that may lessen the impact or consequence, and only then can you establish the potential (rather than the ‘probability’) for Risk.
There are probably as many definitions for the terms ‘Assets’, ‘Threats’, and ‘Risks’ as there are formulas which try to quantify the size of the Risk. However there is one fairly simple equation that I believe establishes the Risk factor by examining the nature of the Threats, any perceived vulnerabilities, and the impact the Threat materialising may have on the asset. The equation is:
Risk (to an Asset) = Threat x Vulnerability x Impact/Consequence
At this point it might help if I introduce some of the definitions that I believe are required to help to understand how the equation is established.
- Asset – Anything that is deemed to be of value (both physical and virtual) which we need to protect, such as personnel, material, operational activities and information. Personnel may include employees and customers as well as contractors or visitors. Material assets consist of items that can be assigned a value by either the owner or, perhaps as importantly, the adversary. Information may include sensitive information, databases, systems software and critical records. Intangible assets include reputation and proprietary information. It is important to understand both the function of the asset and the form it is in.
- Threat – An action, potential action, or inaction, likely to cause damage, harm or loss.
- Vulnerability – Weaknesses or gaps in the protection of assets that can be exploited by Threats in order to compromise the asset.
- Risk – The potential or possibility of compromise, loss, injury or other adverse consequence. Risk comes from: “A Threat, or combination of Threats, exploiting vulnerability in order to adversely impact upon an asset.”
The Asset. In order to establish the Risks faced by an asset, it is important to identify the true value of the asset and its worth both to its owner and to the adversary. This can be done by identifying what the consequence of its loss or compromise would be to the owner, but conversely also by trying to establish whether the asset would be of value to an adversary, even if its loss or compromise would have no impact on the business. An example of this would be nuclear or radiological waste: this has no value to the business, and indeed probably has a negative value, but to a terrorist who wants to build an Improvised Radiological Dispersal Device it would be of immense value. The other aspect to examine, in regard to the protection of assets against some Threats, is the nature of the asset. If the asset consists of hundreds of tons of material, what needs to be considered is how the Threat would actually be manifested, i.e. how would the adversary manage to steal, or sabotage, enough material to be of any use or value? If the asset is in the form of digitally held information, then again an analysis of how the information could be compromised, both physically and through cybercrime, needs to be carried out.
The Threats. There are more aspects to Threats than being ‘Credible and Realistic’. Other elements that need to be taken into consideration in order to determine whether or not a Threat is credible and realistic include:
- Resources: Has the adversary the resources to mount a Threat? How can the asset be compromised or lost i.e. what tools or equipment would be required by the adversary in order to compromise the asset?
- Capabilities: What are the skills, knowledge and capabilities of the adversary? How can they get access to the asset?
- Intent: Has the adversary the motivation to mount the Threat?
- Precedence: Has a similar Threat materialised before? When, where and how?
- Likelihood: What are the chances of the Threat happening?
All of the above must be carefully considered before any real analysis of the Threat can realistically be made. However, if the consequence of the loss or compromise of the asset would be unacceptable to the owner, then it should be assumed that the Threat is credible and measures need to be taken to ensure that it is protected accordingly.
The Risk to any particular asset is therefore evaluated through a combination of functions: Threats to the asset exploiting any Vulnerabilities that may exist which cause the loss or compromise of the asset. By using the equation Risk = Threat x Vulnerability x Consequence/Impact you can establish the significance of the Risk and begin to prioritise and plan Risk responses accordingly.
For instance: if the Threat is high, the Vulnerabilities are high (i.e. less than adequate levels of protection exist) but the Consequences are insignificant, then the Risk can either be accepted or ignored. Conversely, if the Threat is low, but there are significant Vulnerabilities surrounding the asset, and the Consequences of the Threat materialising are severe, mitigating action must be taken to lessen the Vulnerabilities, or the asset must be transferred or removed to a more secure location (if plausible).
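The following is an added worked example, not part of the original article, showing how the equation Risk = Threat x Vulnerability x Impact/Consequence and the two decision cases above can be turned into a small risk register that scores and prioritises asset/Threat pairs. The 1 to 5 scales, the averaging of the five Threat elements (Resources, Capabilities, Intent, Precedence, Likelihood), the score threshold of 30 and the sample assets and adversaries are all assumptions constructed for illustration; the decision rules follow the article's logic (insignificant consequence means the Risk can be accepted, an unacceptable consequence combined with real Vulnerabilities means the Threat is treated as credible and mitigated regardless of how low it scores).

```python
from dataclasses import dataclass
from typing import List, Tuple

# All scales are assumptions for this example: every factor is scored 1 (low) to 5 (high).
RISK_THRESHOLD = 30.0  # assumed cut-off above which a scored Risk is actively mitigated


@dataclass(frozen=True)
class Threat:
    """A Threat profiled by the five elements the article lists."""
    name: str
    resources: int     # does the adversary have the tools/equipment needed?
    capabilities: int  # skills, knowledge and access
    intent: int        # motivation to mount the Threat
    precedence: int    # has something similar happened before?
    likelihood: int    # chance of the Threat happening

    def score(self) -> float:
        # Simple average of the five elements; the equal weighting is an assumption.
        return (self.resources + self.capabilities + self.intent
                + self.precedence + self.likelihood) / 5


@dataclass(frozen=True)
class Asset:
    name: str
    vulnerability: int  # 1 = well protected, 5 = little or no protection
    impact: int         # 1 = insignificant consequence, 5 = severe/unacceptable


def risk_score(threat: Threat, asset: Asset) -> float:
    """Risk = Threat x Vulnerability x Impact/Consequence."""
    return threat.score() * asset.vulnerability * asset.impact


def response(threat: Threat, asset: Asset) -> str:
    """Decide the Risk response using the article's two cases plus a score threshold."""
    if asset.impact <= 1:
        # High Threat and high Vulnerability but insignificant consequence: accept/ignore.
        return "accept"
    if asset.impact >= 4 and asset.vulnerability >= 3:
        # Unacceptable consequence with real Vulnerabilities: assume the Threat is
        # credible even if it scores low, and mitigate or relocate the asset.
        return "mitigate"
    return "mitigate" if risk_score(threat, asset) >= RISK_THRESHOLD else "monitor"


def prioritise(threats: List[Threat], assets: List[Asset]) -> List[Tuple[float, str, str, str]]:
    """Score every Threat/asset pair and rank them, highest Risk first."""
    rows = [(risk_score(t, a), t.name, a.name, response(t, a))
            for t in threats for a in assets]
    return sorted(rows, key=lambda r: r[0], reverse=True)


# Constructed sample register (values are illustrative assumptions, not real data).
HIGH_THREAT = Threat("well-resourced theft crew", resources=5, capabilities=5,
                     intent=5, precedence=4, likelihood=4)   # score 4.6
LOW_THREAT = Threat("opportunist trespasser", resources=2, capabilities=1,
                    intent=2, precedence=1, likelihood=1)    # score 1.4

SCRAP_YARD = Asset("scrap metal yard", vulnerability=5, impact=1)         # case one
WASTE_STORE = Asset("radiological waste store", vulnerability=4, impact=5)  # case two


if __name__ == "__main__":
    for score, threat_name, asset_name, action in prioritise([HIGH_THREAT, LOW_THREAT],
                                                             [SCRAP_YARD, WASTE_STORE]):
        print(f"{score:6.1f}  {asset_name:28s}  {threat_name:28s}  -> {action}")
```

Running the block prints the register ranked by score. The scrap yard scores 23.0 against the high Threat yet is accepted because the consequence is insignificant, while the waste store scores only 28.0 against the low Threat but is still mitigated, which is exactly the second case in the paragraph above. Changing the weighting in `Threat.score` or the threshold is where an organisation would encode its own appetite for Risk.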